Word-level Sequential Memory Abstraction for Model Checking. Per Bjesse, November 19, 2008.


© 2008 Synopsys, Inc. (2) An interesting observation. Even though certain complex systems contain very large memories, we can prove their correctness by reasoning about a much smaller number of memory entries at a time.

© 2008 Synopsys, Inc. (3) Our idea. We abstract a word-level design by representing only a small number of memory entries:
- Writes to unrepresented slots are dropped.
- Reads from unrepresented slots return nondeterministic values.
We use an abstraction-refinement loop to figure out which slots need to be represented.

© 2008 Synopsys, Inc. (4) Assumptions. The problem has been cast as a word-level netlist with a single dedicated output safe, signalling that the properties at hand currently hold. We are hence checking that no trace exists to a state where safe is false. Constraints have been modelled as part of the netlist; all inputs are unconstrained.

© 2008 Synopsys, Inc. (5) Word-level netlist format. A DAG over input variables, state variables, and constant vectors. Internal nodes (superscripts indicate the number of bits in a signal): the op nodes are particular combinational functions of their inputs, such as and, or, +.

© 2008 Synopsys, Inc. (6) Memory manipulation nodes. Two internal nodes are used to model memories: the read node projects out the interval [addr*k, …, (addr+1)*k-1] of op, and the write node returns the result of substituting data into the interval [addr*j, …, (addr+1)*j-1] of op.

© 2008 Synopsys, Inc. (7) A motivating example (memory subsystem). The state variable mem is initialized to contain the value zero in every slot. We check that we never read out the value 100.

© 2008 Synopsys, Inc. (8) The "memory interface". The memory subsystem has the ports write addr (wa), write data (wd), read addr (ra) and read data (rw in the figure). A read and a write happen every cycle; reads happen before writes.

© 2008 Synopsys, Inc. (9) Reimplementing the memory subsystem.
- The new memory has a single slot, represented by a variable cont initialized to zero.
- The address that is represented is stored in the variable sel. This variable is uninitialized and never changes.
- A fresh input is used to return a nondeterministic value for missed reads.

© 2008 Synopsys, Inc. (11) Checking the modified design. The modified design clearly overapproximates the original design, so the abstraction is sound. What happens when we try to check it?
- FAILURE.
- The counterexample shows a run where the represented slot differs from the slot read in the last time instance, and where ndtread (the nondeterministic read value) equals 100.
- Fix: we have to make sure that the selected slot is always the correct slot.

© 2008 Synopsys, Inc. (12) Modifying the safe output. We rewrite the safe output: the old network driving safe becomes the consequent of an implication whose antecedent is sel = raddr. Model checking now shows that the system is safe.

© 2008 Synopsys, Inc. (13) Why is the transformation sound? It can be seen as two steps:
1. Adding the selector register sel and rewriting the output safe to sel = raddr → read(mem, raddr) ≠ 100. This preserves all counterexamples (if there are any), so it is sound: we can always pick the initial value of sel to be the value of raddr in the failing cycle, so the new safe output fails too.
2. Rewriting the memory subsystem so that it only represents the slot selected by sel. This is also sound: the newly generated memory simulates the old memory.

© 2008 Synopsys, Inc. (14) Generalizing the supported memory subsystems. Example memory subsystem:
- single read port, single write port
- read before write
In the paper:
- arbitrary number of read and write ports
- any policy on read/update priorities
- we sweep the netlist and isolate memory subsystem regions that can be abstracted

© 2008 Synopsys, Inc. (15) Generalizing the abstraction. In our example, we abstracted over the value of raddr at the current time instance. In general we may need to perform several reads correctly over time, for example when forwarding multi-part messages. We generalize this to allow abstraction over a set of pairs (node_i, time_i), where node_i is some netlist node and time_i is some integer delay.

© 2008 Synopsys, Inc. (16) Abstracting memories (ctd.). Every abstraction pair (node_i, time_i) induces two new registers cont_i and sel_i. We generate logic that simulates the old subsystem and performs updates to the selected slots correctly (see paper).

© 2008 Synopsys, Inc. (17) Rewriting the output condition. We abstract over a set of pairs (nd_i, t_i), where nd_i is some netlist node and t_i is some integer delay. Assume safedef is the fanin node of the safe node, and that prev(d, φ) is a temporal operator that holds precisely if t > d and φ held d time steps ago. We then construct safe to be the implementation of the checker
prev(t_0, sel_0 = nd_0) ∧ … ∧ prev(t_N, sel_N = nd_N) → safedef

© 2008 Synopsys, Inc. (18) Correctness. Theorem: if the design has been abstracted using a set of abstraction pairs with maximum t_i equal to d, then the original design is provable if
1. the transformed design is provable, and
2. the original design has no counterexample of length d or shorter.
Correctness follows from a generalization of the informal argument for the motivating example.

© 2008 Synopsys, Inc. (19) Extracting the abstraction pairs (nd_i, t_i). The main crux is now to find a sufficient set of abstraction pairs. We use an abstraction-refinement loop: the initial abstraction contains no abstraction pairs, and we add pairs whenever we find a failure.

© 2008 Synopsys, Inc. (20) Finding new pairs. A spurious failure trace on the abstracted design must have generated the wrong output on some number of read nodes over time. We compare the simulation traces of the original and abstract designs and find a minimum set of read node outputs that need to be fixed. Each mismatching read node gives rise to an abstraction pair, where
- the delay is the time distance to the failure cycle, and
- the node is either (1) the address field of the read node, or (2) some other network node containing the current address of the read node.
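The single-slot abstraction of slides 9-13, the checker of slide 17 and the refinement loop of slides 19-20, worked through as an added Python example; this is not the paper's code or the Synopsys implementation. The design is a constructed toy: a 2-slot memory using the bit-interval read/write node semantics of slide 6, one read-before-write port pair, an output register that delays the read data by one cycle (so that the required abstraction pair has delay 1), and the property that the output register never holds 100. The exhaustive bounded simulation stands in for the model checker; the write-data domain, the value 100, the ND set, the 1-based time numbering and all function names are assumptions, and "minimum set of read node outputs" is approximated by taking every mismatching read up to the failure cycle.

```python
"""Added example: single-slot memory abstraction (slides 9-13), the prev()
checker (slide 17) and the abstraction-refinement loop (slides 19-20), on a
constructed toy design.  Time is numbered from 1; every design detail below is
an assumption of this example, not the paper's."""
import itertools

SLOTS, WIDTH = 2, 8          # tiny memory so the bounded check can be exhaustive
MASK = (1 << WIDTH) - 1
BAD = 100                    # the property: this value is never read out
ND = (0, BAD)                # values a read of an unrepresented slot may return


def read_node(op, addr):
    """Slide 6: project the interval [addr*WIDTH, (addr+1)*WIDTH-1] out of op."""
    return (op >> (addr * WIDTH)) & MASK


def write_node(op, addr, data):
    """Slide 6: substitute data into that interval of op, other slots untouched."""
    shift = addr * WIDTH
    return (op & ~(MASK << shift)) | ((data & MASK) << shift)


def concrete_run(inputs):
    """inputs[t-1] = (wa, wd, ra) for cycle t; slots start at 0; read before write."""
    mem, reads = 0, []
    for wa, wd, ra in inputs:
        reads.append(read_node(mem, ra))
        mem = write_node(mem, wa, wd)
    return reads


def abstract_run(inputs, nds, sels):
    """One cont_i per abstraction pair, holding slot sels[i] (sel_i is a free,
    constant register).  Other writes are dropped; other reads return nd."""
    cont = {s: 0 for s in sels}
    reads = []
    for (wa, wd, ra), nd in zip(inputs, nds):
        reads.append(cont[ra] if ra in cont else nd)
        if wa in cont:
            cont[wa] = wd
    return reads


def safedef(reads, t):
    """Original safe: the output register (previous cycle's read, initially 0)
    is never BAD.  This one-cycle pipeline is what forces a delay-1 pair."""
    return (reads[t - 2] if t >= 2 else 0) != BAD


def prev(d, phi, t):
    """Slide 17: holds iff t > d and phi held d time steps ago."""
    return t > d and phi(t - d)


def checker(inputs, reads, sels, pairs, t):
    """Rewritten safe: (prev(t_0, sel_0 = nd_0) and ...) implies safedef; every
    pair here abstracts over the read-address node ra, i.e. nd_i = ra."""
    guard = all(prev(d, lambda u, s=s: s == inputs[u - 1][2], t)
                for s, (_, d) in zip(sels, pairs))
    return (not guard) or safedef(reads, t)


def cycle_inputs(data):
    return list(itertools.product(range(SLOTS), data, range(SLOTS)))


def bounded_check(pairs, k, data):
    """Exhaustive k-cycle check of the abstract design (stands in for the model
    checker); returns the first failing (inputs, nds, sels, t) or None."""
    for inputs in itertools.product(cycle_inputs(data), repeat=k):
        for nds in itertools.product(ND, repeat=k):
            for sels in itertools.product(range(SLOTS), repeat=len(pairs)):
                reads = abstract_run(inputs, nds, sels)
                for t in range(1, k + 1):
                    if not checker(inputs, reads, sels, pairs, t):
                        return inputs, nds, sels, t
    return None


def concrete_bounded_check(d, data):
    """Theorem condition 2 (slide 18): no original counterexample of length <= d."""
    for inputs in itertools.product(cycle_inputs(data), repeat=d):
        reads = concrete_run(inputs)
        if any(not safedef(reads, t) for t in range(1, d + 1)):
            return inputs
    return None


def refine(k, data=(0, 1)):
    """Slides 19-20: start with no pairs; on a spurious failure at cycle t, each
    cycle u whose abstract read disagrees with the concrete read yields the pair
    (ra, t - u).  data is the write-data domain; with BAD in it the property fails."""
    pairs = []
    while True:
        cex = bounded_check(pairs, k, data)
        if cex is None:
            d = max((dl for _, dl in pairs), default=0)
            ok = concrete_bounded_check(d, data) is None
            return pairs, "proved" if ok else "counterexample shorter than d"
        inputs, nds, sels, t = cex
        conc = concrete_run(inputs)
        if not safedef(conc, t):
            return pairs, "real counterexample"   # the original design fails too
        mism = abstract_run(inputs, nds, sels)
        new = [("ra", t - u) for u in range(1, t + 1)
               if mism[u - 1] != conc[u - 1] and ("ra", t - u) not in pairs]
        if not new:
            raise RuntimeError("spurious failure without a read mismatch")
        pairs.extend(new)
```

refine(3) returns ([('ra', 1)], 'proved'): the first bounded check fails spuriously because an unrepresented read returned 100 one cycle before the failure, the pair (ra, 1) is added, the refined design passes, and the theorem's second condition (no original counterexample of length 1 or shorter) is checked directly. With data=(0, BAD) the write path can store 100, and the same loop ends with 'real counterexample' once the abstracted design fails on a trace that the original design also fails.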

© 2008 Synopsys, Inc. (21) Experimental work. We investigate the results of applying the reduction to three designs:
- industrial FIFO
- industrial Content Addressable Memory (CAM)
- academic high performance router
These are fundamental building blocks in more complex systems, and are intractable for standard model checking due to large datapaths intermingled with nontrivial control. We couple the memory abstraction with word-level bitwidth reduction (CAV'08).

© 2008 Synopsys, Inc. (22) Industrial FIFO. We prove that if a slot is written and has not been overwritten, then it is read out correctly. Cannot be solved by bit-level methods. 75 slots, 32 bits per slot.
- Originally about 2500 registers.
- 276 registers after abstraction (10 seconds).
- 56 registers after bitwidth reduction (<1 second).
- Provable after 20 min of BDD computations (image computations necessary).

© 2008 Synopsys, Inc. (23) Industrial CAM. Three ports, 48 slots, each 20 bits wide. We prove that if a piece of data has been written to a slot and not overwritten, it is reported as existing in the CAM if queried. Not solvable by bit-level methods (depth 8 bounded check ≈ 17 hours). Originally 1111 registers, all necessary.
- 156 registers after abstraction (5 seconds).
- 26 registers after bitwidth reduction (1 second).
- Proven correct by BDD-based checking immediately.

© 2008 Synopsys, Inc. (24) Router. High performance pipelined router with six ports. Forwards packets broken up into flits (subpackets); each flit is 32 bits and contains both payload and control data. We prove that a packet injected when the router is in a neutral state appears at the correct port within a predetermined time.

© 2008 Synopsys, Inc. (25) Router. 7516 registers before reduction. The full model is provable using bit-level induction (6900 seconds). We detect 20 simple memories and abstract them in 200 seconds using two abstraction pairs. Post reduction we have 2196 registers, and the reduced model takes 133 seconds to prove.

© 2008 Synopsys, Inc. (26) Related work. Word-level formula decision procedures with efficient memory modelling (BAT, work from NEC, …):
- make a specific choice of back-end decision procedure
- model memories in a way that is only sound for bounded executions
STE with symbolic indexing: not a netlist-to-netlist transformation; requires the user to express properties in STE logic.
Program abstraction [Armando'07]: requires the necessary memory slots to have fixed addresses.

© 2008 Synopsys, Inc. (27) Conclusions. We have presented an approach for abstracting word-level memories for safety property checking.
- Fully automatic.
- Can use any model checking technology.
- Allows proofs of certain systems that are out of reach for bit-level model checking.
As it is a netlist-to-netlist transformation, it combines nicely with other transformations. Big speedups, with relatively unsophisticated analysis.

© 2008 Synopsys, Inc. (28) Thank you!

© 2008 Synopsys, Inc. (29) Features.
- Completely automatic; does not require user guidance.
- We do not commit to a specific back-end model checking procedure. This makes our approach orthogonal to the use of other word-level methods.
- The method fits into a transformational verification framework: it is a netlist-to-netlist transformation.